Merge branch 'PHP-8.2' into PHP-8.3

iluuu1994 · iluuu1994 · commit 5eddcb313ed4 · 2024-10-22T14:48:58.000+02:00
* PHP-8.2:
  Fix propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline
diff --git a/NEWS b/NEWS
@@ -13,6 +13,8 @@ PHP                                                                        NEWS
   . Fixed bug GH-16168 (php 8.1 and earlier crash immediately when compiled
     with Xcode 16 clang on macOS 15). (nielsdos)
   . Fixed bug GH-16371 (Assertion failure in Zend/zend_weakrefs.c:646). (Arnaud)
+  . Fixed bug GH-16515 (Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for
+    call trampoline). (ilutov)
 
 - Curl:
   . Fixed bug GH-16302 (CurlMultiHandle holds a reference to CurlHandle if
diff --git a/Zend/tests/gh16515.phpt b/Zend/tests/gh16515.phpt
@@ -0,0 +1,16 @@
+--TEST--
+GH-16515: Incorrect propagation of ZEND_ACC_RETURN_REFERENCE for call trampoline
+--FILE--
+<?php
+
+namespace Foo;
+
+class Foo {
+    public function &__call($method, $args) {}
+}
+
+call_user_func((new Foo)->bar(...));
+
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %s on line %d
diff --git a/Zend/zend_closures.c b/Zend/zend_closures.c
@@ -860,7 +860,7 @@ void zend_closure_from_frame(zval *return_value, zend_execute_data *call) { /* {
 
 		memset(&trampoline, 0, sizeof(zend_internal_function));
 		trampoline.type = ZEND_INTERNAL_FUNCTION;
-		trampoline.fn_flags = mptr->common.fn_flags & (ZEND_ACC_STATIC | ZEND_ACC_VARIADIC);
+		trampoline.fn_flags = mptr->common.fn_flags & (ZEND_ACC_STATIC | ZEND_ACC_VARIADIC | ZEND_ACC_RETURN_REFERENCE);
 		trampoline.handler = zend_closure_call_magic;
 		trampoline.function_name = mptr->common.function_name;
 		trampoline.scope = mptr->common.scope;
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
@@ -1345,7 +1345,10 @@ ZEND_API zend_function *zend_get_call_trampoline_func(const zend_class_entry *ce
 	func->arg_flags[0] = 0;
 	func->arg_flags[1] = 0;
 	func->arg_flags[2] = 0;
-	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE | ZEND_ACC_PUBLIC | ZEND_ACC_VARIADIC;
+	func->fn_flags = ZEND_ACC_CALL_VIA_TRAMPOLINE
+		| ZEND_ACC_PUBLIC
+		| ZEND_ACC_VARIADIC
+		| (fbc->common.fn_flags & ZEND_ACC_RETURN_REFERENCE);
 	if (is_static) {
 		func->fn_flags |= ZEND_ACC_STATIC;
 	}
